Microsoft app vulnerabilities
The Register notes a report from Cisco Talos about Microsoft apps that bypass some of Apple’s macOS security systems, enabling potential exploitation by malware.
 
Multiple flaws in Microsoft macOS apps unpatched despite potential risks
Cisco Talos says eight vulnerabilities in Microsoft’s macOS apps could be abused by nefarious types to record video and sound from a user’s device, access sensitive data, log user input, and escalate privileges. The vulnerabilities exist across Excel, OneNote, Outlook, PowerPoint, Teams, and Word, but Microsoft told Talos it won’t be fixing them. … Despite designating these vulnerabilities low-risk status and refusing to patch them, Microsoft has since updated its Teams apps, and OneNote, removing the entitlement that allowed library injection, essentially mitigating the bugs. The Office apps were left untouched, though, and to Benvenuto remain unnecessarily vulnerable.
 
Multiple Microsoft Apps for macOS Vulnerable to Library Injection Attacks
Widely used Microsoft apps for macOS are vulnerable to library injection attacks that let adversaries use the applications’ entitlements to bypass macOS’s strict permission-based security model and controls.

Attackers can abuse the vulnerable apps to execute a variety of malicious actions — like surreptitiously sending emails from a user’s account or recording audio and video clips — without the user’s knowledge and without the need for any user interaction.

Researchers from Cisco Talos recently discovered the issues when researching the exploitability of Apple’s Transparency, Consent and Control (TCC) framework for managing and enforcing privacy settings on user data and various system services on macOS systems.
 
 Link: macintouch.com
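
As an added illustration (not code from Cisco Talos, Microsoft or the quoted articles), this sketch audits an app's entitlements for the combination the excerpts describe: an entitlement that permits library injection alongside entitlements for protected resources. The key names are Apple's entitlement identifiers, which the excerpts do not spell out; the app names and plists are constructed samples.

```python
import plistlib

# Apple entitlement keys that let a process load code not signed by the
# app's own team (not named in the excerpts above; listed as an assumption).
INJECTION_KEYS = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}
# Entitlements for protected resources that injected code would inherit.
SENSITIVE_KEYS = {
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.automation.apple-events",
}

def audit_entitlements(plist_bytes):
    """Audit a plist such as `codesign -d --entitlements - --xml App.app` emits."""
    # An app with no entitlements yields empty output, not an empty plist.
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    # Only keys set to boolean true count; a key present but false is inert.
    enabled = {k for k, v in ents.items() if v is True}
    injectable = sorted(enabled & INJECTION_KEYS)
    exposed = sorted(enabled & SENSITIVE_KEYS)
    return {"injectable": injectable, "exposed": exposed,
            "flag": bool(injectable and exposed)}

# Constructed sample plists; the app names are hypothetical.
SAMPLES = {
    "ExampleChat.app": plistlib.dumps({
        "com.apple.security.cs.disable-library-validation": True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
    "ExampleNotes.app": plistlib.dumps({
        "com.apple.security.cs.disable-library-validation": False,
        "com.apple.security.device.audio-input": True,
    }),
    "ExampleTool.app": b"",  # no entitlements at all
}

def audit_all(samples=SAMPLES):
    return {name: audit_entitlements(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        status = "REVIEW" if result["flag"] else "ok"
        print(f"{status:6} {name}: {result['injectable']} {result['exposed']}")
```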